What you need to know about data breach notification
If your turnover is more than $3 million per year and you are governed by the Privacy Act, or if you are a smaller business handling sensitive information, then the incoming Data Breach Notification legislation will impact your business. The bill now only needs royal assent, which is a formality, and then it becomes law.
What is the new law?
The law means that businesses that discover they have been breached or have lost data will need to report the incident to the Privacy Commissioner, as well as notifying affected customers, as soon as they become aware of the breach.
The notification must include a description of the data breach, what kind of information it was and how customers should respond to the security incident.
What's the impact of not reporting a breach?
Anyone not reporting a breach faces fines of $360,000 for individuals and $1.8 million for businesses, so it’s something everyone needs to take seriously.
What is classed as a data breach in the new law?
The law considers a breach to have occurred when there is unauthorised access to, disclosure of, or loss of customer information held by a business, and that event generates a real risk of serious harm to the individuals involved.
Data breaches are not limited to malicious actions, such as theft or hacking, but could come from internal errors or process failures that cause accidental loss or disclosure.
What type of data and where?
Anything from personal details, financial information, credit reporting information, tax file number information etc. held on any device, including mobiles, USB keys, hard drives, company networks or paper records. The legislation has a very broad scope.
Here are a few examples of where the legislation will apply –
- A mobile device containing company information is lost and there’s no way of managing it remotely or ensuring that it hasn’t been accessed.
- There is unauthorised access to a spreadsheet containing customer financial information.
- A member of staff mistakenly emails the information of one individual to another individual.
- A member of staff takes personal information of customers.
- A contractor working on a database containing customer information takes a copy on their laptop and has their laptop stolen.
- An IT staff member finds malicious software on a computer and discovers that confidential information has been held on that computer.
What harm could result from a breach?
- Identity theft
- Financial loss
- Threat to physical safety
- Threat to emotional wellbeing
- Loss of business
- Damage to reputation
- Loss of public trust
- Reputational damage
- Loss of assets
- Financial exposure
- Regulatory penalties
- Legal liability
What you need to do now
Before the legislation is introduced it is critically important that businesses already have a strategy in place, so that there is no last-minute panic, costs don’t explode, and strategies are not rushed and poorly implemented.
We would recommend looking at the following components as a starting point -
- Review your current data security strategy
- Develop a cyber security strategy that doesn’t just involve IT
- Educate your staff
- Develop a data breach strategy
If you need any assistance with your cyber strategy or you don't know where to start please call us on 1300 4 787 389 or email us at firstname.lastname@example.org.
About the Author
Geoff Stewart is a highly experienced and skilled Technology Director at Surety IT. His knowledge is based on years of industry experience having created customised, stable, well performing systems both for multi-national companies in the UK and Australia and Surety IT customers.
Surety IT can help you create the right system to enhance your business, ensuring you understand why it is right for you and how to use it. We will tailor a solution to suit your needs with leading systems, local support and more, building your vision for a more flexible and capable business.